This Technical Specification (TS) has been produced by ETSI Technical Committee Methods for Testing and
Specification (MTS).

Scope

The purpose of the present document is to provide Test Suite Structure and Test Purposes (TSS&TP) for conformance
tests of the security IPv6 protocol based on the requirements defined in the IPv6 requirements catalogue
(TS 102 558 [2]) and written according to the guidelines of TS 102 351 [1], ISO/IEC 9646-2 [4] and ETS 300 406 [5].



References 



References are either specific (identified by date of publication and/or edition number or version number) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply.

• Non-specific reference may be made only to a complete document or a part thereof and only in the following
cases:

  - if it is accepted that it will be possible to use all future changes of the referenced document for the
    purposes of the referring document;

  - for informative references.

Referenced documents which are not found to be publicly available in the expected location might be found at 
http://docbox.etsi.org/Reference . 

For online referenced documents, information sufficient to identify and locate the source shall be provided. Preferably, 
the primary source of the referenced document should be cited, in order to ensure traceability. Furthermore, the 
reference should, as far as possible, remain valid for the expected life of the document. The reference shall include the 
method of access to the referenced document and the full network address, with the same punctuation and use of upper 
case and lower case letters. 

NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee 
their long term validity. 

2.1 Normative references 

The following referenced documents are indispensable for the application of the present document. For dated 
references, only the edition cited applies. For non-specific references, the latest edition of the referenced document 
(including any amendments) applies. 

[1] ETSI TS 102 351: "Methods for Testing and Specification (MTS); Internet Protocol Testing (IPT);
IPv6 Testing: Methodology and Framework".

[2] ETSI TS 102 558: "Methods for Testing and Specification (MTS); Internet Protocol Testing (IPT):
IPv6 Security; Requirements Catalogue".

[3] ISO/IEC 9646-1: "Information technology - Open Systems Interconnection - Conformance testing
methodology and framework - Part 1: General concepts".

[4] ISO/IEC 9646-2: "Information technology - Open Systems Interconnection - Conformance testing
methodology and framework - Part 2: Abstract Test Suite specification".

[5] ETSI ETS 300 406: "Methods for Testing and Specification (MTS); Protocol and profile
conformance testing specifications; Standardization methodology".

2.2 Informative references



The following referenced documents are not essential to the use of the present document but they assist the user with 
regard to a particular subject area. For non-specific references, the latest version of the referenced document (including 
any amendments) applies. 

Not applicable. 



3 Definitions and abbreviations 

3.1 Definitions 

For the purposes of the present document, the following terms and definitions apply: 

abstract test case: Refer to ISO/IEC 9646-1 [3]. 

Abstract Test Method (ATM): Refer to ISO/IEC 9646-1 [3]. 

Abstract Test Suite (ATS): Refer to ISO/IEC 9646-1 [3]. 

Implementation Under Test (IUT): Refer to ISO/IEC 9646-1 [3].

Lower Tester (LT): Refer to ISO/IEC 9646-1 [3]. 

Test Purpose (TP): Refer to ISO/IEC 9646-1 [3]. 



3.2 Abbreviations 

For the purposes of the present document, the following abbreviations apply: 

AH Authentication Header 

ATM Abstract Test Method 

ATS Abstract Test Suite 

ESP Encapsulating Security Payload 

ICV Integrity Check Value 

IETF Internet Engineering Task Force 

IKE Internet Key Exchange 

IPv6 Internet Protocol version 6 

IUT Implementation Under Test

LT Lower Test 

RC Requirements Catalogue 

RQ Requirement 

TP Test Purpose 

TSS Test Suite Structure 

UDP User Datagram Protocol 



Test Suite Structure (TSS) 



Test Purposes have been written for IPv6 mobile nodes, correspondent nodes and home agents according to the
Requirements (RQ) of the Requirements Catalogue (RC) in TS 102 558 [2]. Test purposes have been written for
behaviours requested with "MUST" or "SHOULD"; optional behaviour described with "MAY" or similar wording
indicating an option has not been turned into test purposes.

The test purposes have been divided into three groups: 

Group 1: Authentication Header (AH)
Group 2: Encapsulating Security Payload (ESP)
Group 3: Key Exchange (IKEv2) Protocol

The sub-grouping of these three groups follows the structure of the RC.

Group 1: Authentication Header (AH)
Group 2: Encapsulating Security Payload (ESP)
Group 3: Key Exchange (IKEv2) Protocol
    Group 3.1 Exchange Message Structures
    Group 3.2 IKE Header and Payload Formats
        Group 3.2.1 Configuration payload
        Group 3.2.2 IKE Error Types
    Group 3.3 IKE Informational Exchanges
    Group 3.4 IKE Protocol
        Group 3.4.1 Authentication
            Group 3.4.1.1 Extensible Authentication Methods
        Group 3.4.2 Error Handling
        Group 3.4.3 General Protocol Handling
            Group 3.4.3.1 Address and Port Agility
            Group 3.4.3.2 IP Compression (IPComp)
            Group 3.4.3.3 Message Format
            Group 3.4.3.4 Overlapping Requests
            Group 3.4.3.5 Request Internal Address
            Group 3.4.3.6 Retransmission Timers
            Group 3.4.3.7 Version Compatibility
        Group 3.4.4 Security Parameter Negotiation
            Group 3.4.4.1 Algorithm Negotiation
            Group 3.4.4.2 Cookies
            Group 3.4.4.3 Rekeying
            Group 3.4.4.4 Traffic Selector Negotiation

Annex A (normative):
Test Purposes (TP) 



The test purposes have been written in the formal notation TPlan as described in annex A of TS 102 351 [1]. This 
original textual output ASCII file (SEC.tplan) is contained in archive ts_102593v010102p0.zip which accompanies the 
present document. The raw text file has been converted to a table format in this annex to allow better readability. 

The two formats shall be considered equivalent. In the event that there appears to be syntactical or semantic differences 
between the two then the textual TPlan representation takes precedence over the table format in this annex. 



A.1 Authentication Header (AH) 



Test Purpose
Identifier: TP_SEC_2000_01
Summary: Test of generating first unicast IPv6 packets with Authentication Header
References: RQ_002_2000, RQ_002_2006, RQ_002_2011, RQ_002_2013, RQ_002_2015, RQ_002_2017,
            RQ_002_2027, RQ_002_2032, RQ_002_2033, RQ_002_2034, RQ_002_2036
IUT Role: Ipsec_host
Test Case: TC_SEC_2000_01

with { IUT and destination node established in an AH security association
}
ensure that
{ when { IUT is requested to send first unicast IPv6Packet
            containing Authentication Header }
  then { IUT sends IPv6Packet
            containing next header field of previous header
               set to 51
            and containing (Authentication Header
               containing Security Parameters Index
                  set to Security Parameters Index
                     received from destination node
                     during SA establishment
               and containing sequence number set to 1
               and containing correctly calculated
                  Integrity Check Value
                  including necessary padding bits) }
}



Test Purpose
Identifier: TP_SEC_2000_02
Summary: Test of generating subsequent unicast IPv6 packets with Authentication Header
References: RQ_002_2000, RQ_002_2006, RQ_002_2011, RQ_002_2012, RQ_002_2015, RQ_002_2017,
            RQ_002_2027, RQ_002_2032, RQ_002_2033, RQ_002_2034, RQ_002_2036
IUT Role: Ipsec_host
Test Case: TC_SEC_2000_02

with { IUT and destination node established in an AH security association
}
ensure that
{ when { IUT is requested to send subsequent unicast IPv6Packet
            containing Authentication Header }
  then { IUT sends IPv6Packet
            containing next header field of previous header
               set to 51
            and containing (Authentication Header
               containing Security Parameters Index
                  set to Security Parameters Index
                     received from destination node
                     during SA establishment
               and containing sequence number set to
                  (sequence number of previous IPv6Packet) plus 1
               and containing correctly calculated
                  Integrity Check Value
                  including necessary padding bits) }
}

Test Purpose
Identifier: TP_SEC_2000_03
Summary: Test of generating first multicast IPv6 packets with Authentication Header
References: RQ_002_2000, RQ_002_2007, RQ_002_2011, RQ_002_2013, RQ_002_2015, RQ_002_2017,
            RQ_002_2027, RQ_002_2032, RQ_002_2033, RQ_002_2034, RQ_002_2036
IUT Role: Ipsec_host
Test Case: TC_SEC_2000_03

with { IUT established in a multicast group AH Security Association
}
ensure that
{ when { IUT is requested to send first multicast IPv6Packet
            containing Authentication Header }
  then { IUT sends IPv6Packet
            containing next header field of previous header
               set to 51
            and containing (Authentication Header
               containing Security Parameters Index
                  assigned to multicast group
                  Security Association
               and containing sequence number set to 1
               and containing correctly calculated
                  Integrity Check Value
                  including necessary padding bits) }
}



Test Purpose
Identifier: TP_SEC_2000_04
Summary: Test of generating subsequent multicast IPv6 packets with Authentication Header
References: RQ_002_2000, RQ_002_2007, RQ_002_2011, RQ_002_2012, RQ_002_2015, RQ_002_2017,
            RQ_002_2027, RQ_002_2032, RQ_002_2033, RQ_002_2034, RQ_002_2036
IUT Role: Ipsec_host
Test Case: TC_SEC_2000_04

with { IUT established in multicast group AH Security Association
}
ensure that
{ when { IUT is requested to send subsequent multicast IPv6Packet
            containing Authentication Header }
  then { IUT sends IPv6Packet
            containing next header field of previous header
               set to 51
            and containing (Authentication Header
               containing Security Parameters Index
                  set to Security Parameters Index
                     assigned to multicast group
                     Security Association
               and containing sequence number set to
                  (sequence number of previous IPv6Packet) plus 1
               and containing correctly calculated
                  Integrity Check Value
                  including necessary padding bits) }
}



Test Purpose
Identifier: TP_SEC_2009_01
Summary: Test reaction on IPv6 packets for unknown SA
References: RQ_002_2009
IUT Role: Ipsec_host
Test Case: TC_SEC_2009_01

with { IUT established in AH Security Association
}
ensure that
{ when { IUT receives IPv6Packet
            containing (Authentication Header
               containing Security Parameters Index
                  unrelated to established
                  Security Association) }
  then { IUT discards IPv6Packet }
}

Test Purpose
Identifier: TP_SEC_2042_01
Summary: Test reaction on IPv6 packets with AH header and fragmentation header
References: RQ_002_2042
IUT Role: Ipsec_host
Test Case: TC_SEC_2042_01

with { IUT and destination_node established in an AH_security_association
}
ensure that
{ when { IUT receives IPv6Packet
            containing Authentication_Header
            and containing (FragmentHeader
               containing offset not set to 0) }
  then { IUT discards IPv6Packet }
}



Test Purpose
Identifier: TP_SEC_2046_01
Summary: Test reaction on IPv6 packets with AH header when no SA exists
References: RQ_002_2046
IUT Role: Ipsec_host
Test Case: TC_SEC_2046_01

with { IUT and destination node not established in an AH Security Association
}
ensure that
{ when { IUT receives IPv6Packet
            containing Authentication Header }
  then { IUT discards IPv6Packet }
}



Test Purpose
Identifier: TP_SEC_2053_01
Summary: Test reaction on IPv6 packets with AH header with incorrect sequence number
References: RQ_002_2053
IUT Role: Ipsec_host
Test Case: TC_SEC_2053_01

with { IUT and destination_node established in an AH_security_association
       and IUT and destination_node 'having already exchanged
           at least one packet'
}
ensure that
{ when { IUT receives IPv6Packet
            containing (Authentication_Header
               containing sequence_number
                  set to sequence_number received
                     in previous IPv6Packet) }
  then { IUT discards IPv6Packet }
}



Test Purpose
Identifier: TP_SEC_2057_01
Summary: Test reaction on IPv6 packets with AH header with correct ICV value
References: RQ_002_2057, RQ_002_2028
IUT Role: Ipsec_host
Test Case: TC_SEC_2057_01

with { IUT and destination node established in an AH security association
}
ensure that
{ when { IUT receives IPv6Packet
            containing (Authentication Header
               containing Integrity Check Value
                  calculated from Security Association data
                  and packet contents) }
  then { IUT accepts IPv6Packet }
}

Test Purpose
Identifier: TP_SEC_2058_01
Summary: Test reaction on IPv6 packets with AH header with incorrect ICV value
References: RQ_002_2058, RQ_002_2028
IUT Role: Ipsec_host
Test Case: TC_SEC_2058_01

with { IUT and destination node established in an AH security association
}
ensure that
{ when { IUT receives IPv6Packet
            containing (Authentication Header
               containing Integrity Check Value
                  not calculated from Security Association data
                  and packet contents) }
  then { IUT discards IPv6Packet }
}
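
The send-side and receive-side behaviour that the A.1 test purposes check can be modelled in a few functions. This is an added illustration, not part of the ETSI document or its TPlan file; the SA class, the function names and the discard reason strings are hypothetical, and the HMAC-SHA-256-128 ICV, the 64-packet replay window, the reduced ICV input (addresses, AH with zeroed ICV field, payload) and the sample addresses, key and SPI values are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

AH_NEXT_HEADER = 51   # Next Header value of the header that precedes AH
ICV_LEN = 16          # assumption: HMAC-SHA-256 truncated to 128 bits
WINDOW = 64           # assumption: 64-packet anti-replay window


@dataclass
class SA:
    spi: int
    key: bytes
    tx_seq: int = 0      # last sequence number sent
    rx_top: int = 0      # highest sequence number accepted so far
    rx_bitmap: int = 0   # bit i set: sequence number (rx_top - i) was accepted


def icv(sa, src, dst, ah_zeroed, payload):
    # Reduced ICV input (assumption): addresses, AH with zeroed ICV, payload.
    mac = hmac.new(sa.key, src + dst + ah_zeroed + payload, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def build_ah(sa, src, dst, inner_next_header, payload):
    """Sender: return (Next Header for the previous header, AH bytes)."""
    sa.tx_seq += 1                        # first packet on an SA carries 1
    pad = -(12 + ICV_LEN) % 8             # IPv6: AH length is a multiple of 8 octets
    fixed = struct.pack("!BBHII", inner_next_header,
                        (12 + ICV_LEN + pad) // 4 - 2, 0, sa.spi, sa.tx_seq)
    value = icv(sa, src, dst, fixed + bytes(ICV_LEN + pad), payload)
    return AH_NEXT_HEADER, fixed + value + bytes(pad)


def is_replay(sa, seq):
    if seq == 0 or seq > sa.rx_top:
        return seq == 0                   # 0 is never sent; anything newer is fresh
    age = sa.rx_top - seq
    return age >= WINDOW or bool((sa.rx_bitmap >> age) & 1)


def mark_seen(sa, seq):
    if seq > sa.rx_top:
        shift = seq - sa.rx_top
        sa.rx_bitmap = ((sa.rx_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
        sa.rx_top = seq
    else:
        sa.rx_bitmap |= 1 << (sa.rx_top - seq)


def receive(sad, src, dst, ah, payload, frag_offset=0):
    """Receiver: return ("accept" | "discard", reason)."""
    if frag_offset != 0:
        return "discard", "fragment"          # TP_SEC_2042_01
    if len(ah) < 12 + ICV_LEN or len(ah) != (ah[1] + 2) * 4:
        return "discard", "malformed"
    spi, seq = struct.unpack("!II", ah[4:12])
    sa = sad.get(spi)
    if sa is None:
        return "discard", "no-sa"             # TP_SEC_2009_01, TP_SEC_2046_01
    if is_replay(sa, seq):
        return "discard", "replay"            # TP_SEC_2053_01
    zeroed = ah[:12] + bytes(ICV_LEN) + ah[12 + ICV_LEN:]
    if not hmac.compare_digest(icv(sa, src, dst, zeroed, payload),
                               ah[12:12 + ICV_LEN]):
        return "discard", "bad-icv"           # TP_SEC_2058_01
    mark_seen(sa, seq)                        # only after the ICV verifies
    return "accept", "ok"                     # TP_SEC_2057_01


# Constructed sample addresses (documentation prefix), not from the specification.
SRC, DST = (ipaddress.IPv6Address(a).packed for a in ("2001:db8::1", "2001:db8::2"))


def demo():
    key = bytes(range(32))                            # constructed key
    tx, rx = SA(0x1000, key), SA(0x1000, key)         # constructed SPI
    sad, data = {rx.spi: rx}, b"constructed upper-layer payload"
    nh, p1 = build_ah(tx, SRC, DST, 17, data)
    _, p2 = build_ah(tx, SRC, DST, 17, data)
    other_spi = p1[:4] + struct.pack("!I", 0x2000) + p1[8:]
    bad_icv = p2[:12] + bytes([p2[12] ^ 1]) + p2[13:]
    return {
        "TP_SEC_2000_01": (nh, *struct.unpack("!II", p1[4:12]), len(p1) % 8),
        "TP_SEC_2000_02": struct.unpack("!I", p2[8:12])[0],
        "TP_SEC_2042_01": receive(sad, SRC, DST, p1, data, frag_offset=1),
        "TP_SEC_2046_01": receive({}, SRC, DST, p1, data),
        "TP_SEC_2009_01": receive(sad, SRC, DST, other_spi, data),
        "TP_SEC_2057_01": receive(sad, SRC, DST, p1, data),
        "TP_SEC_2053_01": receive(sad, SRC, DST, p1, data),
        "TP_SEC_2058_01": receive(sad, SRC, DST, bad_icv, data),
        "after_bad_icv": receive(sad, SRC, DST, p2, data),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry shows why the replay window is updated only after the ICV verifies: a forged packet carrying the next sequence number does not block the genuine one.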



A.2 Encapsulating Security Payload (ESP) 



Test Purpose
Identifier: TP_SEC_3030_01
Summary: Test reaction on ESP dummy packet
References: RQ_002_3030
IUT Role: Ipsec_host
Test Case: TC_SEC_3030_01

with { IUT and destination node established in an ESP Security Association
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP Header
               containing next header field set to 59) }
  then { IUT discards IPv6Packet }
}



Test Purpose
Identifier: TP_SEC_3061_01
Summary: Test reaction on IPv6 packets with ESP header when no SA exists
References: RQ_002_3061, RQ_002_3091
IUT Role: Ipsec_host
Test Case: TC_SEC_3061_01

with { IUT 'has not established ESP Security Association with destination Node'
}
ensure that
{ when { IUT receives IPv6Packet
            containing ESP_Header }
  then { IUT discards IPv6Packet }
}



Test Purpose
Identifier: TP_SEC_3068_01
Summary: Test reaction on IPv6 packets with ESP header with correct ICV value
References: RQ_002_3068, RQ_002_3072
IUT Role: Ipsec_host
Test Case: TC_SEC_3068_01

with { IUT and destination_node established in an ESP_Security_Association
       and IUT 'having enabled anti-replay service'
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP_Header
               containing sequence_number
                  set to sequence_number from received IPv6Packet) }
  then { IUT discards IPv6Packet }
}

Test Purpose
Identifier: TP_SEC_3077_01
Summary: Test reaction on IPv6 packets with ESP header with correct ICV value
References: RQ_002_3077
IUT Role: Ipsec_host
Test Case: TC_SEC_3077_01

with { IUT and destination node established in an ESP Security Association
       and ESP Security Association configured to use
           combined confidentiality and integrity algorithms
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP Header
               containing Integrity Check Value
                  calculated from Security Association data
                  and packet contents) }
  then { IUT accepts IPv6Packet }
}



Test Purpose
Identifier: TP_SEC_3078_01
Summary: Test reaction on IPv6 packets with ESP header with incorrect ICV value
References: RQ_002_3078, RQ_002_3077
IUT Role: Ipsec_host
Test Case: TC_SEC_3078_01

with { IUT and destination node established in an ESP Security Association
       and ESP Security Association configured to use
           combined confidentiality and integrity algorithms
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP Header
               containing Integrity Check Value
                  not calculated from Security Association data
                  and packet contents) }
  then { IUT discards IPv6Packet }
}



Test Purpose
Identifier: TP_SEC_3080_01
Summary: Test reaction on IPv6 packets with ESP header with correct ICV value
References: RQ_002_3080
IUT Role: Ipsec_host
Test Case: TC_SEC_3080_01

with { IUT and destination node established in an ESP Security Association
       and ESP Security Association configured to use
           separate confidentiality and integrity algorithms
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP Header
               containing Integrity Check Value
                  calculated from Security Association data
                  and packet contents) }
  then { IUT accepts IPv6Packet }
}

Test Purpose
Identifier: TP_SEC_3083_01
Summary: Test reaction on IPv6 packets with ESP header with incorrect ICV value
References: RQ_002_3083, RQ_002_3080
IUT Role: Ipsec_host
Test Case: TC_SEC_3083_01

with { IUT and destination node established in an ESP Security Association
       and ESP Security Association configured to use
           separate confidentiality and integrity algorithms
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP Header
               containing Integrity Check Value
                  not calculated from Security Association data
                  and packet contents) }
  then { IUT discards IPv6Packet }
}



Test Purpose
Identifier: TP_SEC_3102_01
Summary: Test of generating first unicast IPv6 packets with ESP Header, transport mode
References: RQ_002_3102, RQ_002_3004, RQ_002_3005, RQ_002_3009, RQ_002_3012, RQ_002_3027,
            RQ_002_3037, RQ_002_3113
IUT Role: Ipsec_host
Test Case: TC_SEC_3102_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
           separate_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send first IPv6Packet in transport_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in transport_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}

Test Purpose
Identifier: TP_SEC_3102_02
Summary: Test of generating subsequent unicast IPv6 packets with ESP Header, transport mode
References: RQ_002_3102, RQ_002_3004, RQ_002_3005, RQ_002_3006, RQ_002_3009, RQ_002_3027,
            RQ_002_3037, RQ_002_3112
IUT Role: Ipsec_host
Test Case: TC_SEC_3102_02

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
           separate_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send subsequent IPv6Packet in transport_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in transport_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to
                  (sequence_number of previous IPv6Packet) plus 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}



Test Purpose
Identifier: TP_SEC_3103_01
Summary: Test of generating first unicast IPv6 packets with ESP Header, tunnel mode
References: RQ_002_3103, RQ_002_3004, RQ_002_3005, RQ_002_3009, RQ_002_3012, RQ_002_3027,
            RQ_002_3037, RQ_002_3092, RQ_002_3113
IUT Role: Ipsec_host
Test Case: TC_SEC_3103_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
           separate_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send first IPv6Packet in tunnel_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in tunnel_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}

Test Purpose
Identifier: TP_SEC_3103_02
Summary: Test of generating subsequent unicast IPv6 packets with ESP Header, tunnel mode
References: RQ_002_3103, RQ_002_3004, RQ_002_3005, RQ_002_3006, RQ_002_3009, RQ_002_3027,
            RQ_002_3037, RQ_002_3092, RQ_002_3112
IUT Role: Ipsec_host
Test Case: TC_SEC_3103_02

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
           separate_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send subsequent IPv6Packet in tunnel_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in tunnel_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to
                  (sequence_number of previous IPv6Packet) plus 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}



Test Purpose
Identifier: TP_SEC_3107_01
Summary: Test of generating first unicast IPv6 packets with ESP Header, transport mode
References: RQ_002_3102, RQ_002_3004, RQ_002_3005, RQ_002_3009, RQ_002_3012, RQ_002_3027,
            RQ_002_3113
IUT Role: Ipsec_host
Test Case: TC_SEC_3107_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
           combined_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send first IPv6Packet in transport_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in transport_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}

Test Purpose
Identifier: TP_SEC_3107_02
Summary: Test of generating subsequent unicast IPv6 packets with ESP Header, transport mode
References: RQ_002_3107, RQ_002_3004, RQ_002_3005, RQ_002_3006, RQ_002_3009, RQ_002_3027,
            RQ_002_3112
IUT Role: Ipsec_host
Test Case: TC_SEC_3107_02

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
           combined_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send subsequent IPv6Packet in transport_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in transport_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to
                  (sequence_number of previous IPv6Packet) plus 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}



Test Purpose
Identifier: TP_SEC_3108_01
Summary: Test of generating first unicast IPv6 packets with ESP Header, tunnel mode
References: RQ_002_3108, RQ_002_3004, RQ_002_3005, RQ_002_3009, RQ_002_3012, RQ_002_3027,
            RQ_002_3092, RQ_002_3113
IUT Role: Ipsec_host
Test Case: TC_SEC_3108_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
           combined_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send first IPv6Packet in tunnel_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in tunnel_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}

Test Purpose
Identifier: TP_SEC_3108_02
Summary: Test of generating subsequent unicast IPv6 packets with ESP Header, tunnel mode
References: RQ_002_3108, RQ_002_3004, RQ_002_3005, RQ_002_3006, RQ_002_3009, RQ_002_3027,
            RQ_002_3092, RQ_002_3112
IUT Role: Ipsec_host
Test Case: TC_SEC_3108_02

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
           combined_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send subsequent IPv6Packet in tunnel_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in tunnel_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to
                  (sequence_number of previous IPv6Packet) plus 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}



A.3 Key Exchange (IKEv2) Protocol 
A.3.1 Exchange Message Structures 



Test Purpose
Identifier: TP_SEC_6400_01
Summary: Test of generating IKE SA INIT request
References: RQ_002_6400, RQ_002_6034, RQ_002_6077, RQ_002_6084, RQ_002_6085, RQ_002_6086,
            RQ_002_6128, RQ_002_6129, RQ_002_6232, RQ_002_6236, RQ_002_6240, RQ_002_6250,
            RQ_002_6263, RQ_002_6304, RQ_002_6344
IUT Role: Host
Test Case: TC_SEC_6400_01

with { IUT ready to establish a Security Association using IKEv2
}
ensure that
{ when { IUT is requested to send IKE SA INIT request }
  then { IUT sends IKE SA INIT request
            containing (IKE Header
               containing IKE SA Initiators SPI not set to
               and containing IKE SA Responders SPI set to
               and containing Major Version set to 2
               and containing Exchange Type set to 34 IKE SA INIT
               and containing Flags set to 00010000 'B'
               and containing Message ID set to 0)
            and containing (Security Association payload
               containing at least 1 Proposal
                  containing at least 1 Transform)
            and containing Key Exchange payload
            and containing (Nonce payload
               containing Nonce Data
                  of at least 128 bits
                  and 'at least half the prf key length') }
}











ETSI TS 102 593 V1.2.0 (2008-04)



Test Purpose
Identifier: TP_SEC_6401_01
Summary: Test reaction on IKE SA INIT request
References: RQ_002_6401, RQ_002_6036, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240,
            RQ_002_6250, RQ_002_6263, RQ_002_6304, RQ_002_6344
IUT Role: Host
Test Case: TC_SEC_6401_01

with { IUT ready to establish Security Association using IKEv2
}
ensure that
{ when { IUT receives IKE SA INIT request }
  then { IUT sends IKE SA INIT response
            containing (IKE Header
               containing IKE SA Initiators SPI
                  set to IKE SA Initiators SPI
                     received in IKE SA INIT request
               and containing IKE SA Responders SPI not set to
               and containing Major Version set to 2
               and containing Exchange Type set to 34 IKE SA INIT
               and containing Flags set to 00000100 'B'
               and containing Message ID
                  set to Message ID
                     received in IKE SA INIT request)
            and containing (Security Association payload
               containing 1 proposal
                  received in IKE SA INIT request)
            and containing Key Exchange payload
            and containing Nonce payload }
}







Test Purpose
Identifier: TP_SEC_6403_01
Summary: Test of generating IKE AUTH request
References: RQ_002_6403, RQ_002_6034, RQ_002_6084, RQ_002_6085, RQ_002_6086, RQ_002_6232,
            RQ_002_6233, RQ_002_6236, RQ_002_6240, RQ_002_6250, RQ_002_6263, RQ_002_6310,
            RQ_002_6430, RQ_002_6431
IUT Role: Host
Test Case: TC_SEC_6403_01

with { IUT having sent IKE SA INIT request
       and IUT having received IKE SA INIT response
}
ensure that
{ when { IUT is requested to send IKE AUTH request }
  then { IUT sends IKE AUTH request
            containing (IKE Header
               containing IKE SA Initiators SPI
                  set to IKE SA Initiators SPI
                     received in IKE SA INIT request
               and containing IKE SA Responders SPI
                  set to IKE SA Responders SPI
                     received in IKE SA INIT response
               and containing Major Version set to 2
               and containing Exchange Type set to 35 IKE AUTH
               and containing Flags set to 00010000 'B'
               and containing Message ID set to 1)
            and containing (Encrypted payload
               containing Identification payload initiator
                  'Next Payload field of previous
                   payload is set to 35'
               and containing Authentication payload
               and containing (Security Association payload
                  containing at least 1 proposal
                     containing at least 1 transform)
               and containing Traffic Selector payload initiator
                  'Next Payload field of previous
                   payload is set to 44'
               and containing Traffic Selector payload responder
                  'Next Payload field of previous
                   payload is set to 45') }
}

Test Purpose
Identifier: TP_SEC_6405_01
Summary: Test reaction on IKE AUTH request
References: RQ_002_6405, RQ_002_6036, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240,
            RQ_002_6250, RQ_002_6263, RQ_002_6312, RQ_002_6430, RQ_002_6431
IUT Role: Host
Test Case: TC_SEC_6405_01

with { IUT having received IKE_SA_INIT_request
       and IUT having sent IKE_SA_INIT_response
}
ensure that
{ when { IUT receives IKE_AUTH_request }
  then { IUT sends IKE_AUTH_response
            containing (IKE Header
               containing IKE_SA_Initiators_SPI
                  set to IKE_SA_Initiators_SPI
                     received in IKE_SA_INIT_request
               and containing IKE_SA_Responders_SPI
                  set to IKE_SA_Responders_SPI
                     sent in IKE_SA_INIT_response
               and containing Major Version set to 2
               and containing Exchange_Type set to 35 IKE_AUTH
               and containing Flags set to 00000100 'B'
               and containing Message ID
                  set to Message ID
                     received in IKE_AUTH_request)
            and containing (Encrypted payload
               containing Identification payload responder
                  'Next Payload field of previous payload
                   is set to 36'
               and containing Authentication payload
               and containing (Security Association payload
                  containing 1 proposal
                     received in IKE_AUTH_request)
               and containing Traffic Selector payload_initiator
                  'Next Payload field of previous payload
                   is set to 44'
               and containing Traffic Selector payload responder
                  'Next Payload field of previous payload
                   is set to 45') }
}
Test Purpose


Identifier: TP_SEC_6407_01
Summary: Test of generating CREATE_CHILD_SA request
References: RQ_002_6407, RQ_002_6035, RQ_002_6084, RQ_002_6085, RQ_002_6086, RQ_002_6128,
            RQ_002_6129, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240, RQ_002_6250,
            RQ_002_6263, RQ_002_6344
IUT Role: Host
Test Case: TC_SEC_6407_01

with { IUT having completed IKE_SA_INIT_exchange
       and IUT having completed IKE_AUTH_exchange
}
ensure that
{ when { IUT is requested to send CREATE_CHILD_SA_request }
  then { IUT sends CREATE_CHILD_SA_request
           containing (IKE_Header
             containing IKE_SA_Initiators_SPI
               set to IKE_SA_Initiators_SPI
                 sent or received in the IKE_SA_INIT_request
             and containing IKE_SA_Responders_SPI
               set to IKE_SA_Responders_SPI
                 sent or received in the IKE_SA_INIT_response
             and containing Major_Version set to 2
             and containing Exchange_Type set to 36 CREATE_CHILD_SA
             and containing Flags set to 00010000'B'
             and containing Message_ID
               set to previous sent Message_ID plus 1)
           and containing (Encrypted_payload
             containing (Security_Association_payload
               containing at least 1 proposal
                 containing at least 1 transform)
             and containing (Nonce_payload
               containing Nonce_Data
                 of at least 128 bits
                 and 'at least half the prf key length')
             and containing Traffic_Selector_payload_initiator
               'Next Payload field of previous payload is set to 44'
             and containing Traffic_Selector_payload_responder
               'Next Payload field of previous payload is set to 45') }
}
Test Purpose


Identifier: TP_SEC_6409_01
Summary: Test reaction on CREATE_CHILD_SA request
References: RQ_002_6409, RQ_002_6036, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240,
            RQ_002_6250, RQ_002_6263, RQ_002_6344
IUT Role: Host
Test Case: TC_SEC_6409_01

with { IUT having completed IKE_SA_INIT_exchange
       and IUT having completed IKE_AUTH_exchange
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request }
  then { IUT sends CREATE_CHILD_SA_response
           containing (IKE_Header
             containing IKE_SA_Initiators_SPI
               set to IKE_SA_Initiators_SPI
                 sent or received in the IKE_SA_INIT_request
             and containing IKE_SA_Responders_SPI
               set to IKE_SA_Responders_SPI
                 sent or received in the IKE_SA_INIT_request
             and containing Major_Version set to 2
             and containing Exchange_Type set to 36 CREATE_CHILD_SA
             and containing Flags set to 00000100'B'
             and containing Message_ID
               set to Message_ID
                 received in CREATE_CHILD_SA_request)
           and containing (Encrypted_payload
             containing (Security_Association_payload
               containing 1 proposal
                 received in CREATE_CHILD_SA_request)
             and containing Nonce_payload
             and containing Traffic_Selector_payload_initiator
               'Next Payload field of previous payload is set to 44'
             and containing Traffic_Selector_payload_responder
               'Next Payload field of previous payload is set to 45') }
}







Test Purpose

Identifier: TP_SEC_6411_01
Summary: Test of generating INFORMATIONAL request
References: RQ_002_6411, RQ_002_6035, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240,
            RQ_002_6250
IUT Role: Host
Test Case: TC_SEC_6411_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT is requested to send INFORMATIONAL_request }
  then { IUT sends INFORMATIONAL_request
           containing (IKE_Header
             containing IKE_SA_Initiators_SPI
               set to IKE_SA_Initiators_SPI
                 sent or received in the IKE_SA_INIT_request
             and containing IKE_SA_Responders_SPI
               set to IKE_SA_Responders_SPI
                 sent or received in the IKE_SA_INIT_request
             and containing Major_Version set to 2
             and containing Exchange_Type set to 37 INFORMATIONAL
             and containing Flags set to 00010000'B'
             and containing Message_ID
               set to previous sent Message_ID plus 1)
           and containing (Encrypted_payload
             containing or more Notify_payload
             and containing or more Delete_payload
             and containing or more Configuration_payload) }
}







ETSI 



22 



ETSI TS 102 593 V1.2.0 (2008-04) 



Test Purpose 


Identifier: TP_SEC_6412_01
Summary: Test reaction on INFORMATIONAL request
References: RQ_002_6412, RQ_002_6036, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240,
            RQ_002_6250
IUT Role: Host
Test Case: TC_SEC_6412_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request }
  then { IUT sends INFORMATIONAL_response
           containing (IKE_Header
             containing IKE_SA_Initiators_SPI
               set to IKE_SA_Initiators_SPI
                 sent or received in the IKE_SA_INIT_request
             and containing IKE_SA_Responders_SPI
               set to IKE_SA_Responders_SPI
                 sent or received in the IKE_SA_INIT_request
             and containing Major_Version set to 2
             and containing Exchange_Type set to 37 INFORMATIONAL
             and containing Flags set to 00000100'B'
             and containing Message_ID
               set to Message_ID
                 received in INFORMATIONAL_request)
           and containing (Encrypted_payload
             containing or more Notify_payload
             and containing or more Delete_payload
             and containing or more Configuration_payload) }
}
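
The IKE_Header constraints of TP_SEC_6403_01 and TP_SEC_6405_01 above can be checked mechanically against a captured datagram. The following Python code is an added example, not part of the ETSI test suite; it assumes the TP bitstrings write bit 0 first, so that 00010000 is the Initiator bit (bit 3, octet 0x08) and 00000100 the Response bit (bit 5, octet 0x20) of the RFC 4306 section 3.1 header. All function names and sample SPIs are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Fixed 28-octet IKE header (RFC 4306, section 3.1): Initiator SPI, Responder SPI,
# Next Payload, version octet (major in the high nibble), Exchange Type, Flags,
# Message ID, Length.
_HEADER = struct.Struct("!8s8sBBBBII")
IKE_AUTH = 35  # Exchange_Type value used by TP_SEC_6403_01 and TP_SEC_6405_01


@dataclass(frozen=True)
class IkeHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_header(datagram):
    """Decode the fixed IKE header at the start of a UDP payload."""
    if len(datagram) < _HEADER.size:
        raise ValueError("datagram shorter than the 28-octet IKE header")
    spi_i, spi_r, nxt, version, xchg, flags, msg_id, length = _HEADER.unpack_from(datagram)
    return IkeHeader(spi_i, spi_r, nxt, version >> 4, version & 0x0F,
                     xchg, flags, msg_id, length)


def tp_flags(bits):
    """Wire octet for a TP bitstring, ASSUMING the string lists bit 0 first."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("not an 8-bit string: %r" % (bits,))
    return sum(1 << pos for pos, bit in enumerate(bits) if bit == "1")


def violated_fields(hdr, spi_i, spi_r, exchange_type, flags_bits, message_id):
    """Names of the IKE_Header constraints of a TP that hdr does not meet."""
    checks = [
        ("IKE_SA_Initiators_SPI", hdr.initiator_spi, spi_i),
        ("IKE_SA_Responders_SPI", hdr.responder_spi, spi_r),
        ("Major_Version", hdr.major_version, 2),
        ("Exchange_Type", hdr.exchange_type, exchange_type),
        ("Flags", hdr.flags, tp_flags(flags_bits)),
        ("Message_ID", hdr.message_id, message_id),
    ]
    return [name for name, got, want in checks if got != want]


def check_ike_auth_request(datagram, spi_i, spi_r):
    """Header part of TP_SEC_6403_01: Flags 00010000'B', Message_ID 1."""
    return violated_fields(parse_header(datagram), spi_i, spi_r,
                           IKE_AUTH, "00010000", 1)


def check_ike_auth_response(datagram, request, spi_i, spi_r):
    """Header part of TP_SEC_6405_01: Flags 00000100'B', Message_ID echoed."""
    return violated_fields(parse_header(datagram), spi_i, spi_r,
                           IKE_AUTH, "00000100", parse_header(request).message_id)


def build_header(spi_i, spi_r, exchange_type, flags, message_id):
    """Constructed sample: header only, Next Payload 46 (Encrypted), version 2.0."""
    return _HEADER.pack(spi_i, spi_r, 46, 0x20, exchange_type, flags,
                        message_id, _HEADER.size)


# Constructed sample values, not taken from any capture.
SPI_I = bytes.fromhex("1122334455667788")
SPI_R = bytes.fromhex("99aabbccddeeff00")
REQUEST = build_header(SPI_I, SPI_R, IKE_AUTH, 0x08, 1)            # Initiator bit set
RESPONSE = build_header(SPI_I, SPI_R, IKE_AUTH, 0x20, 1)           # Response bit set
MSB_FIRST_REQUEST = build_header(SPI_I, SPI_R, IKE_AUTH, 0x10, 1)  # bitstring misread as 0x10
WRONG_ID_RESPONSE = build_header(SPI_I, SPI_R, IKE_AUTH, 0x20, 2)  # Message_ID not echoed

if __name__ == "__main__":
    results = [
        ("request", check_ike_auth_request(REQUEST, SPI_I, SPI_R)),
        ("request, flags read MSB first", check_ike_auth_request(MSB_FIRST_REQUEST, SPI_I, SPI_R)),
        ("response", check_ike_auth_response(RESPONSE, REQUEST, SPI_I, SPI_R)),
        ("response, wrong Message_ID", check_ike_auth_response(WRONG_ID_RESPONSE, REQUEST, SPI_I, SPI_R)),
    ]
    for label, failures in results:
        print(label, "->", failures or "conforms")
```

A sender that reads the same bitstring most significant bit first emits octet 0x10, which is the Version bit rather than the Initiator bit, and the check reports it as a Flags violation.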





A.3.2 IKE Header and Payload Formats 
A.3.2.1 Configuration payload 



Test Purpose 


Identifier: TP_SEC_6468_01
Summary: Test reaction on INFORMATIONAL request with unsupported Configuration payload
References: RQ_002_6468
IUT Role: Host
Test Case: TC_SEC_6468_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request
           containing (Configuration_payload
             containing Configuration_Type
               set to 1 CFG_REQUEST
             and containing any unsupported
               Configuration_Attribute) }
  then { IUT sends INFORMATIONAL_response
           containing (Configuration_payload
             containing Configuration_Type
               set to 2 CFG_REPLY
             and not containing any unsupported
               Configuration_Attribute)
         or
           not containing (Configuration_payload) }
}
A.3.2.2 IKE Error Types



Test Purpose 



Identifier: TP_SEC_6365_01
Summary: Test reaction on INFORMATIONAL_request containing incorrect value
References: RQ_002_6365, RQ_002_6368
IUT Role: Host
Test Case: TC_SEC_6365_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request
           containing 'syntactically incorrect value' }
  then { IUT sends INFORMATIONAL_response
           containing (Encrypted_payload
             containing Notify_payload
               containing Notify_Message_Type
                 set to 7 INVALID_SYNTAX) }
}



Test Purpose 


Identifier: TP_SEC_6375_01
Summary: Test reaction on CREATE_CHILD_SA request containing Traffic Selectors indicating address range
References: RQ_002_6375
IUT Role: Host
Test Case: TC_SEC_6375_01

with { IUT having established an IKE_Security_Association
       and IUT 'only supporting Traffic Selectors specifying a single pair of addresses'
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (Traffic_Selector_payload
             containing Traffic_Selector
               indicating 'address range') }
  then { IUT sends CREATE_CHILD_SA_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 34 SINGLE_PAIR_REQUIRED) }
}



Test Purpose 



Identifier: TP_SEC_6376_01
Summary: Test reaction on CREATE_CHILD_SA request when no more CHILD_SA can be established
References: RQ_002_6376
IUT Role: Host
Test Case: TC_SEC_6376_01

with { IUT having established an IKE_Security_Association
       and IUT 'unable to establish any further CHILD_SA'
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request }
  then { IUT sends CREATE_CHILD_SA_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 35 NO_ADDITIONAL_SAS) }
}
Test Purpose


Identifier: TP_SEC_6379_01
Summary: Test reaction on CREATE_CHILD_SA request containing unacceptable Traffic Selectors
References: RQ_002_6379
IUT Role: Host
Test Case: TC_SEC_6379_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (Traffic_Selector_payload
             containing 1 or more
               unacceptable Traffic_Selector) }
  then { IUT sends CREATE_CHILD_SA_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 38 TS_UNACCEPTABLE) }
}



Test Purpose

Identifier: TP_SEC_6393_01
Summary: Test reaction on CREATE_CHILD_SA request containing transport mode request
References: RQ_002_6393
IUT Role: Host
Test Case: TC_SEC_6393_01

with { IUT having established an IKE_Security_Association
       and IUT 'ready to accept transport mode request'
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (Notify_payload
             containing Notify_Message_Type
               set to 16391 USE_TRANSPORT_MODE) }
  then { IUT sends CREATE_CHILD_SA_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 16391 USE_TRANSPORT_MODE) }
}



Test Purpose

Identifier: TP_SEC_6394_01
Summary: Test reaction on CREATE_CHILD_SA request containing transport mode request
References: RQ_002_6394
IUT Role: Host
Test Case: TC_SEC_6394_01

with { IUT having established an IKE_Security_Association
       and IUT 'not ready to accept transport mode request'
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (Notify_payload
             containing Notify_Message_Type
               set to 16391 USE_TRANSPORT_MODE) }
  then { IUT sends CREATE_CHILD_SA_response
           not containing (Notify_payload
             containing Notify_Message_Type
               set to 16391 USE_TRANSPORT_MODE) }
}
A.3.3 IKE Informational Exchanges



Test Purpose 


Identifier: TP_SEC_6007_01
Summary: Test reaction on INFORMATIONAL request without payload
References: RQ_002_6007, RQ_002_6012
IUT Role: Host
Test Case: TC_SEC_6007_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request
           not containing a payload }
  then { IUT sends INFORMATIONAL_response }
}



Test Purpose 


Identifier: TP_SEC_6014_01
Summary: Test of generating INFORMATIONAL request with Delete payload for IKE_SA
References: RQ_002_6014, RQ_002_6016, RQ_002_6062, RQ_002_6064, RQ_002_6415, RQ_002_6416,
            RQ_002_6417
IUT Role: Host
Test Case: TC_SEC_6014_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT is requested to send INFORMATIONAL_request
           containing Delete_payload }
  then { IUT sends INFORMATIONAL_request
           containing IKE_Header
           and containing (Encrypted_payload
             containing Delete_payload
               containing Protocol_ID indicating 1
               and containing SPI_Size indicating
               and not containing SPI) }
}



Test Purpose 


Identifier: TP_SEC_6014_02
Summary: Test of generating INFORMATIONAL request with Delete payload for CHILD_SA
References: RQ_002_6014, RQ_002_6016, RQ_002_6060, RQ_002_6061, RQ_002_6415, RQ_002_6416,
            RQ_002_6417
IUT Role: Host
Test Case: TC_SEC_6014_02

with { IUT having established an IKE_Security_Association
       and IUT having established at least 1 CHILD_SA
}
ensure that
{ when { IUT is requested to send INFORMATIONAL_request
           containing Delete_payload }
  then { IUT sends INFORMATIONAL_request
           containing IKE_Header
           and containing (Encrypted_payload
             containing Delete_payload
               containing Protocol_ID indicating 2 or 3
               and containing SPI_Size indicating 4
               and containing SPI) }
}
A.3.4 IKE Protocol



A.3.4.1 Authentication 



A.3.4.1.1 Extensible Authentication Methods



Test Purpose 


Identifier: TP_SEC_6151_01
Summary: Test of generating IKE_AUTH request for extensible authentication methods, message 3
References: RQ_002_6151
IUT Role: Host
Test Case: TC_SEC_6151_01

with { ordered ( IUT having sent IKE_SA_INIT_request
                 and IUT having received IKE_SA_INIT_response )
       and IUT configured 'to use extensible authentication methods'
}
ensure that
{ when { IUT is requested to send IKE_AUTH_request }
  then { IUT sends IKE_AUTH_request
           not containing Authentication_payload }
}



Test Purpose 



Identifier: TP_SEC_6152_01
Summary: Test reaction on IKE_AUTH request for extensible authentication methods, message 3
References: RQ_002_6152, RQ_002_6153
IUT Role: Host
Test Case: TC_SEC_6152_01

with { ordered ( IUT having received IKE_SA_INIT_request
                 and IUT having sent IKE_SA_INIT_response )
       and IUT configured 'to support extensible authentication methods'
}
ensure that
{ when { IUT receives IKE_AUTH_request
           not containing Authentication_payload }
  then { IUT sends IKE_AUTH_response
           containing Extensible_Authentication_Protocol_payload
           and containing Identification_payload
           and containing Authentication_payload
           and not containing Security_Association_payload
           and not containing any Traffic_Selector_payload }
}



Test Purpose 


Identifier: TP_SEC_6153_01
Summary: Test of generating IKE_AUTH request for extensible authentication methods, message 5
References: RQ_002_6153
IUT Role: Host
Test Case: TC_SEC_6153_01

with { ordered ( IUT having sent IKE_SA_INIT_request 'message 1'
                 and IUT having received IKE_SA_INIT_response 'message 2'
                 and IUT having sent IKE_AUTH_request 'message 3'
                 and IUT having received IKE_AUTH_response 'message 4' )
       and IUT configured 'to use extensible authentication'
}
ensure that
{ when { IUT is requested to send IKE_AUTH_request }
  then { IUT sends IKE_AUTH_request
           containing Extensible_Authentication_Protocol_payload }
}
Test Purpose



Identifier: TP_SEC_6161_01
Summary: Test reaction on IKE_AUTH request for extensible authentication methods, message 5
References: RQ_002_6161
IUT Role: Host
Test Case: TC_SEC_6161_01

with { ordered ( IUT having received IKE_SA_INIT_request 'message
                 and IUT having sent IKE_SA_INIT_response 'message
                 and IUT having received IKE_AUTH_request 'message
                 and IUT having sent IKE_AUTH_response 'message
               )
       and IUT having completed 'authentication method successfully'
}
ensure that
{ when { IUT receives IKE_AUTH_request
           containing Extensible_Authentication_Protocol_payload }
  then { IUT sends IKE_AUTH_response
           containing (Extensible_Authentication_Protocol_payload
             containing Code set to 3 'success' }
}



Test Purpose 


Identifier: TP_SEC_6162_01
Summary: Test reaction on IKE_AUTH request for extensible authentication methods, message 5
References: RQ_002_6162, RQ_002_6374
IUT Role: Host
Test Case: TC_SEC_6162_01

with { ordered ( IUT having received IKE_SA_INIT_request 'message 1'
                 and IUT having sent IKE_SA_INIT_response 'message 2'
                 and IUT having received IKE_AUTH_request 'message 3'
                 and IUT sent IKE_AUTH_response 'message 4' )
       and IUT having completed 'authentication method unsuccessfully'
}
ensure that
{ when { IUT receives IKE_AUTH_request
           containing Extensible_Authentication_Protocol_payload }
  then { IUT sends IKE_AUTH_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 24 AUTHENTICATION_FAILED) }
}



Test Purpose 



Identifier: TP_SEC_6164_01
Summary: Test of generating IKE_AUTH request for extensible authentication methods, message 7
References: RQ_002_6164
IUT Role: Host
Test Case: TC_SEC_6164_01

with { ordered ( IUT having sent IKE_SA_INIT_request 'message 1'
                 and IUT having received IKE_SA_INIT_response 'message 2'
                 and IUT having sent IKE_AUTH_request 'message 3'
                 and IUT having received IKE_AUTH_response 'message 4'
                 and IUT having sent IKE_AUTH_request 'message 5'
                 and IUT having received IKE_AUTH_response 'message 6' )
       and IUT 'ready to finalize extensible authentication'
}
ensure that
{ when { IUT is requested to send IKE_AUTH_request }
  then { IUT sends IKE_AUTH_request
           containing Authentication_payload }
}
Test Purpose



Identifier: TP_SEC_6164_02
Summary: Test reaction on IKE_AUTH request for extensible authentication methods, message 7
References: RQ_002_6164
IUT Role: Host
Test Case: TC_SEC_6164_02

with { ordered ( IUT having received IKE_SA_INIT_request 'message
                 and IUT having sent IKE_SA_INIT_response 'message
                 and IUT having received IKE_AUTH_request 'message
                 and IUT having sent IKE_AUTH_response 'message
                 and IUT having received IKE_AUTH_request 'message
                 and IUT having sent IKE_AUTH_response 'message
               )
       and IUT having completed 'authentication method successfully'
}
ensure that
{ when { IUT receives IKE_AUTH_request
           containing Authentication_payload }
  then { IUT sends IKE_AUTH_response
           containing Authentication_payload
           and containing Security_Association_payload
           and containing Traffic_Selector_payload_initiator
             'Next Payload field of previous payload has value 44'
           and containing Traffic_Selector_payload_responder
             'Next Payload field of previous payload has value 45' }
}



A.3.4.2 Error Handling 



Test Purpose 


Identifier: TP_SEC_6186_01
Summary: Test reaction on badly formatted IKE_SA_INIT request
References: RQ_002_6186
IUT Role: Host
Test Case: TC_SEC_6186_01

with { IUT ready to receive IKE_SA_INIT_request
       and IUT ready to send IKE_SA_INIT_response
}
ensure that
{ when { IUT receives badly formatted IKE_SA_INIT_request }
  then { IUT sends IKE_SA_INIT_response
           containing Notify_payload }
}



Test Purpose 


Identifier: TP_SEC_6186_02
Summary: Test reaction on badly formatted IKE_AUTH request
References: RQ_002_6186
IUT Role: Host
Test Case: TC_SEC_6186_02

with { ordered ( IUT having received IKE_SA_INIT_request
                 and IUT having sent IKE_SA_INIT_response )
}
ensure that
{ when { IUT receives badly formatted IKE_AUTH_request }
  then { IUT sends IKE_AUTH_response
           containing Notify_payload }
}
Test Purpose


Identifier: TP_SEC_6188_01
Summary: Test reaction on badly formatted IKE_SA_INIT response
References: RQ_002_6188
IUT Role: Host
Test Case: TC_SEC_6188_01

with { IUT having sent IKE_SA_INIT_request
}
ensure that
{ when { IUT receives badly formatted IKE_SA_INIT_response }
  then { IUT sends no response }
}



Test Purpose 


Identifier: TP_SEC_6188_02
Summary: Test reaction on badly formatted IKE_AUTH response
References: RQ_002_6188
IUT Role: Host
Test Case: TC_SEC_6188_02

with { ordered ( IUT having sent IKE_SA_INIT_request
                 and IUT having received IKE_SA_INIT_response
                 and IUT having sent IKE_AUTH_request )
}
ensure that
{ when { IUT receives badly formatted IKE_AUTH_response }
  then { IUT sends no response }
}



Test Purpose 


Identifier: TP_SEC_6189_01
Summary: Test reaction on request outside of known IKE_SA
References: RQ_002_6189, RQ_002_6190, RQ_002_6191
IUT Role: Host
Test Case: TC_SEC_6189_01

with { IUT having no IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request on UDP_port_500 }
  then { IUT sends CREATE_CHILD_SA_response on UDP_port_500
           containing destination address
             set to source address
               received in CREATE_CHILD_SA_request
           and containing (IKE_Header
             containing IKE_SA_Initiators_SPI
               set to IKE_SA_Initiators_SPI
                 received in CREATE_CHILD_SA_request
             and containing IKE_SA_Responders_SPI
               set to IKE_SA_Responders_SPI
                 received in CREATE_CHILD_SA_request
             and containing Message_ID
               set to Message_ID
                 received in CREATE_CHILD_SA_request)
           and not containing an Encrypted_payload
           and containing (Notify_payload -- Not encrypted
             containing Notify_Message_Type
               set to 4 INVALID_IKE_SPI) }
}
Test Purpose


Identifier: TP_SEC_6189_02
Summary: Test reaction on request outside of known IKE_SA
References: RQ_002_6189, RQ_002_6190, RQ_002_6191
IUT Role: Host
Test Case: TC_SEC_6189_02

with { IUT having no IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request on UDP_port_4500 }
  then { IUT sends INFORMATIONAL_response on UDP_port_4500
           containing destination address
             set to source address received in INFORMATIONAL_request
           and containing (IKE_Header
             containing IKE_SA_Initiators_SPI
               set to IKE_SA_Initiators_SPI
                 received in INFORMATIONAL_request
             and containing IKE_SA_Responders_SPI
               set to IKE_SA_Responders_SPI
                 received in INFORMATIONAL_request
             and containing Message_ID
               set to Message_ID
                 received in INFORMATIONAL_request)
           and not containing an Encrypted_payload
           and containing (Notify_payload -- Not encrypted
             containing Notify_Message_Type
               set to 4 INVALID_IKE_SPI) }
}



Test Purpose 


Identifier: TP_SEC_6023_01
Summary: Test reaction on cryptographically unprotected response indicating invalid SPI
References: RQ_002_6023, RQ_002_6194
IUT Role: Host
Test Case: TC_SEC_6023_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_response
           containing (IKE_Header
             containing unknown IKE_SA_Initiators_SPI
             and containing unknown IKE_SA_Responders_SPI)
           and not containing an Encrypted_payload
           and containing (Notify_payload -- Not encrypted
             containing Notify_Message_Type
               set to 4 INVALID_IKE_SPI) }
  then { IUT sends no response }
}


Test Purpose

Identifier: TP_SEC_6023_02
Summary: Test reaction on cryptographically unprotected response indicating invalid SPI
References: RQ_002_6023, RQ_002_6194
IUT Role: Host
Test Case: TC_SEC_6023_02

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_response
           containing (IKE_Header
             containing unknown IKE_SA_Initiators_SPI
             and containing unknown IKE_SA_Responders_SPI)
           and not containing an Encrypted_payload
           and containing (Notify_payload -- Not encrypted
             containing Notify_Message_Type
               set to 4 INVALID_IKE_SPI) }
  then { IUT sends no response }
}
Test Purpose



Identifier: TP_SEC_6023_03
Summary: Test reaction on INFORMATIONAL_request with Notify payload without cryptographic protection
References: RQ_002_6023, RQ_002_6022
IUT Role: Host
Test Case: TC_SEC_6023_03

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request
           not containing an Encrypted_payload
           containing (Notify_payload -- Not encrypted
             containing Notify_Message_Type
               set to 4 INVALID_IKE_SPI) }
  then { IUT sends no INFORMATIONAL_response }
}



A.3.4.3 General Protocol Handling 
A.3.4.3.1 Address and Port Agility 



Test Purpose 



Identifier: TP_SEC_6206_01
Summary: Test reaction on IKE_SA_INIT request received from UDP port other than 500 or 4500
References: RQ_002_6206, RQ_002_6131, RQ_002_6212
IUT Role: Host
Test Case: TC_SEC_6206_01

with { IUT ready to receive IKE_SA_INIT_request
       and IUT ready to send IKE_SA_INIT_response
}
ensure that
{ when { IUT receives IKE_SA_INIT_request not from UDP_port_500
           and not from UDP_port_4500 }
  then { IUT sends IKE_SA_INIT_response on 'UDP port from which request was received' }
}
A.3.4.3.2 IP Compression (IPComp)



Test Purpose 



Identifier: TP_SEC_6385_01
Summary: Test reaction on CREATE_CHILD_SA request with compression offer
References: RQ_002_6385, RQ_002_6203
IUT Role: Host
Test Case: TC_SEC_6385_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing IKE_Header
           and containing (Notify_payload
             containing Notify_Message_Type
               set to 16387 IPCOMP_SUPPORTED
             and containing (Notification_Data
               containing transform_ID)
           and containing additional (Notify_payload
             containing Notify_Message_Type
               set to 16387 IPCOMP_SUPPORTED
             and containing (Notification_Data
               containing transform_ID) }
  then { IUT sends CREATE_CHILD_SA_response
           containing IKE_Header
           and optionally (containing (Notify_payload
             containing Notify_Message_Type
               set to 16387 IPCOMP_SUPPORTED
             and containing (Notification_Data
               containing 1 transform_ID
                 received in CREATE_CHILD_SA_request)
           and not containing additional (Notify_payload
             containing Notify_Message_Type
               set to 16387 IPCOMP_SUPPORTED) }
}



A.3.4.3.3 Message Format



Test Purpose 


Identifier: TP_SEC_6369_01
Summary: Test reaction on request with incorrect Message ID
References: RQ_002_6369, RQ_002_6370
IUT Role: Host
Test Case: TC_SEC_6369_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (IKE_Header
             containing Message_ID 'out of sequence') }
  then { IUT not sends CREATE_CHILD_SA_response
         and IUT optionally sends INFORMATIONAL_request
           containing (Notify_payload
             containing Notify_Message_Type
               set to 9 INVALID_MESSAGE_ID) }
}
Test Purpose


Identifier: TP_SEC_6369_02
Summary: Test reaction on request with incorrect Message ID
References: RQ_002_6369, RQ_002_6370
IUT Role: Host
Test Case: TC_SEC_6369_02

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request
           containing (IKE_Header
             containing Message_ID 'out of sequence') }
  then { IUT not sends INFORMATIONAL_response
         and IUT optionally sends INFORMATIONAL_request
           containing (Notify_payload
             containing Notify_Message_Type
               set to 9 INVALID_MESSAGE_ID) }
}









A.3.4.3.4 Overlapping Requests



Test Purpose 



Identifier: TP_SEC_6041_01
Summary: Test reaction on request when sent request is not answered
References: RQ_002_6041
IUT Role: Host
Test Case: TC_SEC_6041_01

with { IUT having established IKE_Security_Association
       and IUT having sent CREATE_CHILD_SA_request
       and IUT not having received CREATE_CHILD_SA_response
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request }
  then { IUT sends CREATE_CHILD_SA_response }
}



Test Purpose 


Identifier: TP_SEC_6041_02
Summary: Test reaction on request when sent request is not answered
References: RQ_002_6041
IUT Role: Host
Test Case: TC_SEC_6041_02

with { IUT having established an IKE_Security_Association
       and IUT having sent INFORMATIONAL_request
       and IUT not having received INFORMATIONAL_response
}
ensure that
{ when { IUT receives INFORMATIONAL_request }
  then { IUT sends INFORMATIONAL_response }
}
A.3.4.3.5 Request Internal Address



Test Purpose 


Identifier: TP_SEC_6177_01
Summary: Test reaction on IKE_AUTH request with Configuration Payload
References: RQ_002_6177, RQ_002_6178, RQ_002_6183, RQ_002_6462, RQ_002_6465
IUT Role: Ipsec gateway
Test Case: TC_SEC_6177_01

with { IUT configured 'to expect IKE_AUTH request to include the Configuration Payload'
}
ensure that
{ when { IUT receives IKE_AUTH_request
           containing (Configuration_payload
             containing Configuration_Type
               set to 1 CFG_REQUEST
             and containing (Configuration_Attribute
               containing Attribute_Type
                 set to 8 INTERNAL_IP6_ADDRESS }
  then { IUT sends IKE_AUTH_response
           containing (Configuration_Payload
             containing Configuration_Type
               set to 2 CFG_REPLY
             and containing (Configuration_Attribute
               containing Attribute_Type
                 set to 8 INTERNAL_IP6_ADDRESS
               and containing Attribute_Value
                 set to IPv6 Address)
             before the Security_Association_payload }
}



Test Purpose

Identifier: TP_SEC_6184_01
Summary: Test reaction on IKE_AUTH request without Configuration Payload
References: RQ_002_6184, RQ_002_6462
IUT Role: Ipsec gateway
Test Case: TC_SEC_6184_01

with { IUT configured 'to expect IKE_AUTH request to include the Configuration Payload'
}
ensure that
{ when { IUT receives IKE_AUTH_request
           not containing (Configuration_payload
             containing Configuration_Type
               set to 1 CFG_REQUEST }
  then { IUT sends IKE_AUTH_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 37 FAILED_CP_REQUIRED) }
}



A.3.4.3.6 Retransmission Timers



Test Purpose 


Identifier: TP_SEC_6030_01
Summary: Test reaction on repeated IKE_SA_INIT request
References: RQ_002_6030, RQ_002_6046
IUT Role: Host
Test Case: TC_SEC_6030_01

with { ordered ( IUT having received IKE_SA_INIT_request
                 and IUT having sent IKE_SA_INIT_response )
}
ensure that
{ when { IUT receives previous IKE_SA_INIT_request -- i.e. the same as the one
                                                   -- that it has already answered
       }
  then { IUT resends previous IKE_SA_INIT_response }
}
Test Purpose


Identifier: TP_SEC_6030_02
Summary: Test reaction on repeated IKE_AUTH request
References: RQ_002_6030, RQ_002_6046
IUT Role: Host
Test Case: TC_SEC_6030_02

with { ordered ( IUT having received IKE_AUTH_request
                 and IUT having sent IKE_AUTH_response )
}
ensure that
{ when { IUT receives previous IKE_AUTH_request -- i.e. the same as the one
                                                -- that it has already answered
       }
  then { IUT resends previous IKE_AUTH_response }
}



Test Purpose
Identifier: TP_SEC_6030_03
Summary: Test reaction on repeated CREATE_CHILD_SA request
References: RQ_002_6030, RQ_002_6046
IUT Role: Host
Test Case: TC_SEC_6030_03

with { ordered ( IUT having received CREATE_CHILD_SA_request
       and IUT having sent CREATE_CHILD_SA_response)
}
ensure that
{ when { IUT receives previous CREATE_CHILD_SA_request -- i.e. the same as
                                                       -- the one that it
                                                       -- has already
                                                       -- answered
       }
  then { IUT resends previous CREATE_CHILD_SA_response }
}



Test Purpose
Identifier: TP_SEC_6030_04
Summary: Test reaction on repeated INFORMATIONAL request
References: RQ_002_6030, RQ_002_6046
IUT Role: Host
Test Case: TC_SEC_6030_04

with { ordered ( IUT having received INFORMATIONAL_request
       and IUT having sent INFORMATIONAL_response)
}
ensure that
{ when { IUT receives previous INFORMATIONAL_request -- i.e. the same as
                                                     -- the one that it
                                                     -- has already
                                                     -- answered
       }
  then { IUT resends previous INFORMATIONAL_response }
}



Test Purpose
Identifier: TP_SEC_6033_01
Summary: Test resending of unanswered IKE_SA_INIT request
References: RQ_002_6033, RQ_002_6045
IUT Role: Host
Test Case: TC_SEC_6033_01

with { IUT having sent IKE_SA_INIT_request
}
ensure that
{ when { IUT receives no IKE_SA_INIT_response }
  then { IUT resends previous IKE_SA_INIT_request }
}



ETSI TS 102 593 V1.2.0 (2008-04) 



Test Purpose
Identifier: TP_SEC_6033_02
Summary: Test resending of unanswered IKE_AUTH request
References: RQ_002_6033, RQ_002_6045
IUT Role: Host
Test Case: TC_SEC_6033_02

with { IUT having sent IKE_AUTH_request
}
ensure that
{ when { IUT receives no IKE_AUTH_response }
  then { IUT resends previous IKE_AUTH_request }
}



Test Purpose
Identifier: TP_SEC_6033_03
Summary: Test resending of unanswered CREATE_CHILD_SA request
References: RQ_002_6033, RQ_002_6045
IUT Role: Host
Test Case: TC_SEC_6033_03

with { IUT having sent CREATE_CHILD_SA_request
}
ensure that
{ when { IUT receives no CREATE_CHILD_SA_response }
  then { IUT resends previous CREATE_CHILD_SA_request }
}



Test Purpose
Identifier: TP_SEC_6033_04
Summary: Test resending of unanswered INFORMATIONAL request
References: RQ_002_6033, RQ_002_6045
IUT Role: Host
Test Case: TC_SEC_6033_04

with { IUT having sent INFORMATIONAL_request
}
ensure that
{ when { IUT receives no INFORMATIONAL_response }
  then { IUT resends previous INFORMATIONAL_request }
}



A.3.4.3.7 Version Compatibility 



Test Purpose
Identifier: TP_SEC_6065_01
Summary: Test reaction on IKE_SA_INIT request with major version > 2
References: RQ_002_6065, RQ_002_6066, RQ_002_6237
IUT Role: Host
Test Case: TC_SEC_6065_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
{ when { IUT receives IKE_SA_INIT_request
           containing (IKE_Header
             containing Major_Version
               set to greater than 2) }
  then { IUT discards IKE_SA_INIT_request
         and optionally (
           IUT sends IKE_SA_INIT_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 5 INVALID_MAJOR_VERSION) }
}












Test Purpose
Identifier: TP_SEC_6065_02
Summary: Test reaction on IKE_AUTH request with major version > 2
References: RQ_002_6065, RQ_002_6066, RQ_002_6237
IUT Role: Host
Test Case: TC_SEC_6065_02

with { ordered ( IUT having received IKE_SA_INIT_request
       and IUT having sent IKE_SA_INIT_response)
}
ensure that
{ when { IUT receives IKE_AUTH_request
           containing (IKE_Header
             containing Major_Version
               set to greater than 2) }
  then { IUT discards IKE_AUTH_request
         and optionally (
           IUT sends IKE_AUTH_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 5 INVALID_MAJOR_VERSION) }
}









Test Purpose
Identifier: TP_SEC_6065_03
Summary: Test reaction on CREATE_CHILD_SA request with major version > 2
References: RQ_002_6065, RQ_002_6066, RQ_002_6237
IUT Role: Host
Test Case: TC_SEC_6065_03

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (IKE_Header
             containing Major_Version
               set to greater than 2) }
  then { IUT discards CREATE_CHILD_SA_request
         and optionally (
           IUT sends CREATE_CHILD_SA_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 5 INVALID_MAJOR_VERSION) }
}





Test Purpose
Identifier: TP_SEC_6065_04
Summary: Test reaction on INFORMATIONAL request with major version > 2
References: RQ_002_6065, RQ_002_6066, RQ_002_6237
IUT Role: Host
Test Case: TC_SEC_6065_04

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request
           containing (IKE_Header
             containing Major_Version
               set to greater than 2 }
  then { IUT discards INFORMATIONAL_request
         and optionally (
           IUT sends INFORMATIONAL_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 5 INVALID_MAJOR_VERSION) }
}












Test Purpose
Identifier: TP_SEC_6068_01
Summary: Test reaction on IKE_SA_INIT request with major version < 2
References: RQ_002_6068, RQ_002_6067, RQ_002_6069
IUT Role: Host
Test Case: TC_SEC_6068_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
{ when { IUT receives IKE_SA_INIT_request
           containing (IKE_Header
             containing Major_Version set to 1) }
  then { IUT sends IKE_SA_INIT_response
           containing (IKE_Header
             containing Major_Version set to 1
             and containing V_Bit set to 1) }
}





Test Purpose
Identifier: TP_SEC_6068_02
Summary: Test reaction on IKE_AUTH request with major version < 2
References: RQ_002_6068, RQ_002_6067, RQ_002_6069
IUT Role: Host
Test Case: TC_SEC_6068_02

with { ordered ( IUT having sent IKE_SA_INIT_request
       and IUT having received IKE_SA_INIT_response)
}
ensure that
{ when { IUT receives IKE_AUTH_request
           containing (IKE_Header
             containing Major_Version set to 1) }
  then { IUT sends IKE_AUTH_response
           containing (IKE_Header
             containing Major_Version set to 1
             and containing V_Bit set to 1) }
}





Test Purpose
Identifier: TP_SEC_6068_03
Summary: Test reaction on CREATE_CHILD_SA request with major version < 2
References: RQ_002_6068, RQ_002_6067, RQ_002_6069
IUT Role: Host
Test Case: TC_SEC_6068_03

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (IKE_Header
             containing Major_Version set to 1) }
  then { IUT sends CREATE_CHILD_SA_response
           containing (IKE_Header
             containing Major_Version set to 1
             and containing V_Bit set to 1) }
}



Test Purpose
Identifier: TP_SEC_6068_04
Summary: Test reaction on INFORMATIONAL_request with major version < 2
References: RQ_002_6068, RQ_002_6067, RQ_002_6069
IUT Role: Host
Test Case: TC_SEC_6068_04

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request
           containing (IKE_Header
             containing Major_Version set to 1) }
  then { IUT sends INFORMATIONAL_response
           containing (IKE_Header
             containing Major_Version set to 1
             and containing V_Bit set to 1) }
}

Test Purpose
Identifier: TP_SEC_6362_01
Summary: Test reaction on CREATE_CHILD_SA request with unrecognized payload
References: RQ_002_6362, RQ_002_6255
IUT Role: Host
Test Case: TC_SEC_6362_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing unrecognized (payload
             containing C_Bit set to 1) }
  then { IUT sends CREATE_CHILD_SA_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 1 UNSUPPORTED_CRITICAL_PAYLOAD) }
}



Test Purpose
Identifier: TP_SEC_6362_02
Summary: Test reaction on INFORMATIONAL request with unrecognized payload
References: RQ_002_6362, RQ_002_6255
IUT Role: Host
Test Case: TC_SEC_6362_02

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request
           containing unrecognized (payload
             containing C_Bit set to 1) }
  then { IUT sends INFORMATIONAL_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 1 UNSUPPORTED_CRITICAL_PAYLOAD) }
}





Test Purpose
Identifier: TP_SEC_6073_01
Summary: Test reaction on CREATE_CHILD_SA request with unrecognized payload
References: RQ_002_6073, RQ_002_6256
IUT Role: Host
Test Case: TC_SEC_6073_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing unrecognized (payload
             containing C_Bit set to 0) }
  then { IUT sends CREATE_CHILD_SA_response
           not containing (Notify_payload
             containing Notify_Message_Type
               set to 1 UNSUPPORTED_CRITICAL_PAYLOAD) }
}



Test Purpose
Identifier: TP_SEC_6073_02
Summary: Test reaction on INFORMATIONAL request with unrecognized payload
References: RQ_002_6073, RQ_002_6256
IUT Role: Host
Test Case: TC_SEC_6073_02

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives INFORMATIONAL_request
           containing unrecognized (payload
             containing C_Bit set to 0) }
  then { IUT sends INFORMATIONAL_response
           not containing (Notify_payload
             containing Notify_Message_Type
               set to 1 UNSUPPORTED_CRITICAL_PAYLOAD) }
}
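
The header and payload checks behind TP_SEC_6065, TP_SEC_6068, TP_SEC_6362 and TP_SEC_6073 can be written as a small reference oracle. The Python below is an added illustration, not part of the ETSI specification; the function names, the sample SPIs and payload type 200 are constructed, and the payload chain is assumed to be cleartext (for CREATE_CHILD_SA and INFORMATIONAL, that means after decryption).

```python
import struct

IKE_HEADER = struct.Struct("!8s8sBBBBII")    # SPIi, SPIr, next payload, version, exchange, flags, message ID, length
PAYLOAD_HEADER = struct.Struct("!BBH")       # next payload, C bit + reserved, payload length
KNOWN_PAYLOADS = set(range(33, 49))          # payload types 33..48 (RFC 4306); anything else is unrecognized
UNSUPPORTED_CRITICAL_PAYLOAD = 1             # Notify Message Type values named in the test purposes
INVALID_MAJOR_VERSION = 5


def walk_payloads(first_type, chain):
    """Yield (payload_type, critical, body) for each payload of a cleartext chain."""
    ptype, offset = first_type, 0
    while ptype != 0:                        # 0 = no next payload
        if offset + PAYLOAD_HEADER.size > len(chain):
            raise ValueError("truncated payload header")
        next_type, crit, plen = PAYLOAD_HEADER.unpack_from(chain, offset)
        if plen < PAYLOAD_HEADER.size or offset + plen > len(chain):
            raise ValueError("bad payload length")
        yield ptype, bool(crit & 0x80), chain[offset + PAYLOAD_HEADER.size:offset + plen]
        ptype, offset = next_type, offset + plen


def expected_reaction(datagram):
    """Return (action, notify_type) that the test purposes expect for a request."""
    if len(datagram) < IKE_HEADER.size:
        raise ValueError("shorter than the IKE header")
    _, _, first, version, _, _, _, length = IKE_HEADER.unpack_from(datagram)
    major = version >> 4                     # high nibble = major, low nibble = minor
    if major > 2:
        # TP_SEC_6065_xx: discard; sending INVALID_MAJOR_VERSION is optional.
        return ("discard", INVALID_MAJOR_VERSION)
    if major < 2:
        # TP_SEC_6068_xx: the response carries Major Version 1 and the V bit.
        return ("respond_as_version_1", None)
    if length != len(datagram):
        raise ValueError("length field does not match datagram size")
    for ptype, critical, _ in walk_payloads(first, datagram[IKE_HEADER.size:]):
        if ptype not in KNOWN_PAYLOADS and critical:
            # TP_SEC_6362_xx: unrecognized payload with C bit set to 1.
            return ("reject", UNSUPPORTED_CRITICAL_PAYLOAD)
        # TP_SEC_6073_xx: an unrecognized payload with C bit 0 is skipped.
    return ("process", None)


def build_request(major, exchange, payloads):
    """Constructed sample input; payloads is a list of (type, critical, body)."""
    chain = b""
    for i, (_, critical, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HEADER.pack(nxt, 0x80 if critical else 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    total = IKE_HEADER.size + len(chain)
    # Constructed SPIs, Initiator flag (0x08), message ID 1.
    return IKE_HEADER.pack(b"\x01" * 8, b"\x02" * 8, first, major << 4, exchange, 0x08, 1, total) + chain


if __name__ == "__main__":
    print(expected_reaction(build_request(3, 34, [(33, False, b"")])))
    print(expected_reaction(build_request(2, 36, [(33, False, b""), (200, True, b"zz")])))
    print(expected_reaction(build_request(2, 37, [(200, False, b"zz")])))
```

The major version is checked before the length field or any payload is trusted, so a message from an unknown protocol version is never parsed past its fixed header.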

A.3.4.4 Security Parameter Negotiation
A.3.4.4.1 Algorithm Negotiation 



Test Purpose
Identifier: TP_SEC_6088_01
Summary: Test reaction on IKE_SA_INIT request with several SA proposal
References: RQ_002_6088, RQ_002_6271
IUT Role: Host
Test Case: TC_SEC_6088_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
{ when { IUT receives IKE_SA_INIT_request
           containing (Security_Association_payload
             containing at least 1 acceptable Proposal
       }
  then { IUT sends IKE_SA_INIT_response
           containing (Security_Association_payload
             containing 1 Proposal) }
}





Test Purpose
Identifier: TP_SEC_6088_02
Summary: Test reaction on IKE_AUTH request with several SA proposal
References: RQ_002_6088, RQ_002_6271
IUT Role: Host
Test Case: TC_SEC_6088_02

with { IUT having sent IKE_SA_INIT_request
       and IUT having received IKE_SA_INIT_response
}
ensure that
{ when { IUT receives IKE_AUTH_request
           containing (Security_Association_payload
             containing at least 1 acceptable Proposal) }
  then { IUT sends IKE_AUTH_response
           containing (Security_Association_payload
             containing 1 Proposal) }
}



Test Purpose
Identifier: TP_SEC_6088_03
Summary: Test reaction on CREATE_CHILD_SA request with several SA proposal
References: RQ_002_6088, RQ_002_6271
IUT Role: Host
Test Case: TC_SEC_6088_03

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (Security_Association_payload
             containing at least 1 acceptable Proposal) }
  then { IUT sends CREATE_CHILD_SA_response
           containing (Security_Association_payload
             containing 1 Proposal) }
}

Test Purpose
Identifier: TP_SEC_6372_01
Summary: Test reaction on IKE_SA_INIT request with unacceptable SA proposal
References: RQ_002_6372
IUT Role: Host
Test Case: TC_SEC_6372_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
{ when { IUT receives IKE_SA_INIT_request
           containing (Security_Association_payload
             containing no acceptable Proposal) }
  then { IUT sends IKE_SA_INIT_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 14 NO_PROPOSAL_CHOSEN) }
}



Test Purpose
Identifier: TP_SEC_6372_02
Summary: Test reaction on IKE_AUTH request with unacceptable SA proposal
References: RQ_002_6372
IUT Role: Host
Test Case: TC_SEC_6372_02

with { IUT having sent IKE_SA_INIT_request
       and IUT having received IKE_SA_INIT_response
}
ensure that
{ when { IUT receives IKE_AUTH_request
           containing (Security_Association_payload
             containing no acceptable Proposal) }
  then { IUT sends IKE_AUTH_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 14 NO_PROPOSAL_CHOSEN) }
}



Test Purpose
Identifier: TP_SEC_6372_03
Summary: Test reaction on CREATE_CHILD_SA request with unacceptable SA proposal
References: RQ_002_6372
IUT Role: Host
Test Case: TC_SEC_6372_03

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (Security_Association_payload
             containing no acceptable Proposal) }
  then { IUT sends CREATE_CHILD_SA_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 14 NO_PROPOSAL_CHOSEN) }
}



Test Purpose
Identifier: TP_SEC_6373_01
Summary: Test reaction on IKE_SA_INIT request with invalid Diffie-Hellman value
References: RQ_002_6373, RQ_002_6306
IUT Role: Host
Test Case: TC_SEC_6373_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
{ when { IUT receives IKE_SA_INIT_request
           containing (Key_Exchange_payload
             containing an invalid DH_Group_number) }
  then { IUT sends IKE_SA_INIT_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 17 INVALID_KE_PAYLOAD) }
}

A.3.4.4.2 Cookies



Test Purpose
Identifier: TP_SEC_6081_01
Summary: Test reaction on IKE_SA_INIT response with COOKIE Notify payload
References: RQ_002_6081, RQ_002_6080, RQ_002_6391
IUT Role: Host
Test Case: TC_SEC_6081_01

with { IUT having sent IKE_SA_INIT_request
}
ensure that
{ when { IUT receives IKE_SA_INIT_response
           containing (Notify_payload
             containing Notify_Message_Type
               set to 16390 COOKIE
             and containing (Notification_Data
               containing 'Cookie data')
  then { IUT sends IKE_SA_INIT_request
           containing (Notify_payload
             containing Notify_Message_Type
               set to 16390 COOKIE
             and containing Notification_Data
               set to Notification_Data
                 received in IKE_SA_INIT_response)
           and containing 'all other payloads from initial
                           request unchanged' }
}



A.3.4.4.3 Rekeying 



Test Purpose
Identifier: TP_SEC_6101_01
Summary: Test of generating CREATE_CHILD_SA request for rekeying of child SA
References: RQ_002_6101, RQ_002_6172, RQ_002_6173, RQ_002_6397
IUT Role: Host
Test Case: TC_SEC_6101_01

with { IUT having established an IKE_Security_Association
       and IUT having established a CHILD_SA
       and IUT 'having detected that the lifetime of the CHILD_SA
                is about to expire'
       and IUT 'able to rekey CHILD_SA within IKE_SA'
}
ensure that
{ when { IUT is requested to send CREATE_CHILD_SA_request }
  then { IUT sends CREATE_CHILD_SA_request
           containing (Notify_payload
             containing Notify_Message_Type
               set to 16393 REKEY_SA) }



Test Purpose
Identifier: TP_SEC_6102_01
Summary: Test of deletion of old CREATE_CHILD_SA after rekeying
References: RQ_002_6102
IUT Role: Host
Test Case: TC_SEC_6102_01

with { IUT having established an IKE_Security_Association
       and IUT having established a CHILD_SA
       and IUT 'having detected that the lifetime of the CHILD_SA
                was about to expire'
       and IUT having sent CREATE_CHILD_SA_request 'for rekeying'
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_response }
  then { IUT sends INFORMATIONAL_request
           containing (Delete_payload
             containing Security_Parameters_Index
               indicating CHILD_SA 'to be deleted') }
}

Test Purpose
Identifier: TP_SEC_6103_01
Summary: Test of generating CREATE_CHILD_SA request for rekeying of IKE SA
References: RQ_002_6103
IUT Role: Host
Test Case: TC_SEC_6103_01

with { IUT having established an IKE_Security_Association
       and IUT having established a CHILD_SA
       and IUT 'having detected that the lifetime of the IKE_SA
                was about to expire'
}
ensure that
{ when { IUT is requested to send CREATE_CHILD_SA_request }
  then { IUT sends CREATE_CHILD_SA_request
           not containing Traffic_Selector_payload_initiator
           and not containing Traffic_Selector_payload_responder }



Test Purpose
Identifier: TP_SEC_6105_01
Summary: Test of deletion of old IKE SA after rekeying
References: RQ_002_6105
IUT Role: Host
Test Case: TC_SEC_6105_01

with { IUT having established an IKE_Security_Association
       and IUT having established a CHILD_SA
       and IUT 'having detected that the lifetime of the CHILD_SA
                was about to expire'
       and IUT 'has rekeyed IKE_SA'
}
ensure that
{ when { IUT is requested to send INFORMATIONAL_request }
  then { IUT sends INFORMATIONAL_request
           containing (Delete_payload
             containing Security_Parameters_Index
               indicating IKE_Security_Association
                 'to be deleted') }
}





A.3.4.4.4 Traffic Selector Negotiation



Test Purpose
Identifier: TP_SEC_6123_01
Summary: Test reaction on CREATE_CHILD_SA request with acceptable and unacceptable traffic selectors
References: RQ_002_6123
IUT Role: Host
Test Case: TC_SEC_6123_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (Traffic_Selector_payload_initiator
             containing first
               and acceptable Traffic_Selector
             and containing next
               and unacceptable Traffic_Selector)
           and containing (Traffic_Selector_payload_responder
             containing first
               and acceptable Traffic_Selector
             and containing next
               and unacceptable Traffic_Selector) }
  then { IUT sends CREATE_CHILD_SA_response
           containing (Traffic_Selector_payload_initiator
             containing acceptable Traffic_Selector
               received in CREATE_CHILD_SA_request)
           and containing (Traffic_Selector_payload_responder
             containing acceptable Traffic_Selector
               received in CREATE_CHILD_SA_request) }
}

Test Purpose
Identifier: TP_SEC_6125_01
Summary: Test reaction on CREATE_CHILD_SA request with acceptable and unacceptable traffic selectors
References: RQ_002_6125, RQ_002_6383
IUT Role: Host
Test Case: TC_SEC_6125_01

with { IUT having established an IKE_Security_Association
}
ensure that
{ when { IUT receives CREATE_CHILD_SA_request
           containing (Traffic_Selector_payload_initiator
             containing Traffic_Selector
               indicating 'a range of parameters of which
                           only a subset is acceptable')
           and containing (Traffic_Selector_payload_responder
             containing Traffic_Selector
               set to 'a range of parameters of which
                       only a subset is acceptable') }
  then { IUT sends CREATE_CHILD_SA_response
           containing (Traffic_Selector_payload_initiator
             containing Traffic_Selector
               set to 'acceptable subset of range'
                 received in CREATE_CHILD_SA_request)
           and containing (Traffic_Selector_payload_responder
             containing Traffic_Selector
               set to 'acceptable subset of range'
                 received in CREATE_CHILD_SA_request)
           and optionally (
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 16386 ADDITIONAL_TS_POSSIBLE) }
}
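
A tester-side check for TP_SEC_6123_01 and TP_SEC_6125_01, added here as an illustration and not taken from the ETSI specification: it narrows proposed IPv6 traffic selectors against a local policy and judges whether a response stays inside both. The TS tuple, the function names and the 2001:db8:: sample ranges are assumptions; the protocol ID field of a real traffic selector is left out.

```python
import ipaddress
from typing import NamedTuple


class TS(NamedTuple):
    """One IPv6 traffic selector: inclusive address range and inclusive port range."""
    first: ipaddress.IPv6Address
    last: ipaddress.IPv6Address
    port_lo: int = 0
    port_hi: int = 65535


def ts(first, last, port_lo=0, port_hi=65535):
    """Build a TS from textual addresses."""
    return TS(ipaddress.IPv6Address(first), ipaddress.IPv6Address(last), port_lo, port_hi)


def intersect(a, b):
    """Return the overlap of two selectors, or None when they do not overlap."""
    first, last = max(a.first, b.first), min(a.last, b.last)
    lo, hi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    if first > last or lo > hi:
        return None
    return TS(first, last, lo, hi)


def narrow(proposed, policy):
    """Responder side: keep only the part of each proposed selector that policy allows."""
    result = []
    for p in proposed:
        for allowed in policy:
            hit = intersect(p, allowed)
            if hit is not None and hit not in result:
                result.append(hit)
    return result


def covered(selector, by):
    """True when selector lies entirely inside a single selector of the list `by`."""
    return any(intersect(selector, b) == selector for b in by)


def verdict(request_ts, response_ts, policy):
    """Tester side: pass when the response is non-empty and every returned selector
    is inside both what was requested and what the policy accepts."""
    if not response_ts:
        return "fail"
    ok = all(covered(s, request_ts) and covered(s, policy) for s in response_ts)
    return "pass" if ok else "fail"


if __name__ == "__main__":
    policy = [ts("2001:db8:1::", "2001:db8:1::ffff")]            # constructed policy
    # TP_SEC_6123_01 shape: first selector acceptable, next one unacceptable.
    listed = [ts("2001:db8:1::10", "2001:db8:1::10"), ts("2001:db8:2::10", "2001:db8:2::10")]
    # TP_SEC_6125_01 shape: one wide range of which only a subset is acceptable.
    wide = [ts("2001:db8::", "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff")]
    for request in (listed, wide):
        answer = narrow(request, policy)
        print(answer, verdict(request, answer, policy))
    print(verdict(wide, wide, policy))                           # un-narrowed echo fails
```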